Mass attack on WordPress sites targets bug in WooCommerce plugin – SC Media
Threat actors have carried out large-scale attacks against hundreds of thousands of WordPress websites, exploiting a recently patched vulnerability in the popular WooCommerce Payments ecommerce plugin.
The campaign, carried out by unidentified hackers, began on July 14 and peaked at 1.3 million attacks against 157,000 sites on July 16, according to a Monday post by Ram Gall, threat analyst at WordPress security firm Wordfence.
WooCommerce Payments is installed on over 600,000 WordPress sites to enable payment processing. The attackers seek to exploit a critical vulnerability, patched in March, that enables adversaries to gain unauthorized administrator access via the plugin.
The vulnerability, tracked as CVE-2023-28121, has a CVSS v3 rating of 9.8, making it “an appealing target” for threat actors, Gall wrote.
“These attacks demonstrate significantly more sophistication than similar attacks we’ve seen in the past, including reconnaissance ahead of the main wave of attacks and multiple methods of maintaining persistence using functionality available to administrator-level users,” he wrote, adding that “Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites.”
Wordfence observed more than 213,000 attacks originating from one IP address: 194.169.175.93, while more than 150,000 further attacks were noted from a handful of other addresses.
Once the threat actors were able to gain administrator privileges, they were often observed attempting to install the WP Console plugin, which can be used to execute malicious code and place a file uploader on a compromised system in order to establish persistence.
Earlier this month, Julien Ahrens of RCE Security published a technical blog analyzing the WooCommerce vulnerability and demonstrating a proof of concept used to exploit it.
“Since we can impersonate administrative users, it is quite easy to compromise the entire WordPress instance,” he wrote.
Gall said Wordfence began seeing “early warning signs” of the threat actor’s campaign prior to the main wave of attacks between July 14 and 16.
The attackers searched millions of sites to see if there was a readme.txt file located in the wp-content/plugins/woocommerce-payments/ directory. If there was, it was a strong indicator that the vulnerable plugin was installed.
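A defender-side check for the reconnaissance described above, written as an added example (it is not code from the article, from Wordfence or from WooCommerce): it parses web server access logs in the common combined format, flags every request for the plugin's readme.txt path, and counts those probes per source address. The log lines are constructed for the example; the one flagged address is the one the article cites.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
194.169.175.93 - - [14/Jul/2023:03:12:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2023:03:12:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
194.169.175.93 - - [14/Jul/2023:03:12:09 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jul/2023:03:13:44 +0000] "HEAD /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 0 "-" "curl/8.1.2"
203.0.113.7 - - [14/Jul/2023:03:14:02 +0000] "GET /wp-content/plugins/woocommerce-payments/assets/css/admin.css HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path the campaign requested to fingerprint sites running the plugin.
PROBE_PATH = "/wp-content/plugins/woocommerce-payments/readme.txt"
# Source address named in the Wordfence data quoted in the article.
KNOWN_SOURCE = "194.169.175.93"

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probes(log_text):
    """Return (per-IP probe counts, probe records) for readme.txt fingerprinting requests.
    A 200 (or HEAD 200) tells the prober the plugin directory exists; a 404 means the
    probe happened but the site does not expose the plugin at that path."""
    counts = Counter()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare on the path alone so an appended query string does not hide the probe.
        if rec["path"].split("?", 1)[0] == PROBE_PATH:
            counts[rec["ip"]] += 1
            hits.append({**rec,
                         "known_source": rec["ip"] == KNOWN_SOURCE,
                         "plugin_present": rec["status"] == "200"})
    return counts, hits

if __name__ == "__main__":
    counts, hits = find_probes(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} readme.txt probe(s)")
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["status"], "known_source" if h["known_source"] else "")
```

A probe that returned 200 is the useful signal for triage: it tells you the scanner learned the plugin is present, so that site's plugin version should be checked against the patched releases before the follow-on requests arrive.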
In March, WooCommerce shipped a fix for the vulnerability and worked with WordPress to auto-update and patch sites running versions 4.8.0 through 5.6.1 of the WooCommerce Payments plugin.
All websites that have versions 4.8.0 or higher of the plugin installed and activated, but are not hosted on WordPress.com and have not been updated to a patched version, remain potentially at risk from the vulnerability.
Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.